Service Organization Control Reports

With the growth in business specialization, many entities outsource tasks or functions to other entities (service organizations). In some cases, the service organization generates data or other information that is incorporated in the user entity’s financial statements. Because the auditor is responsible for auditing all the information in the user entity’s financial statements, including the information generated by the service organization, the auditor must find a way to obtain evidence about the financial statement assertions affected by the service organization.


One of the most efficient ways of doing so is to obtain a service auditor’s report, which provides information and an independent CPA’s opinion on whether the service organization’s description of its system is fairly presented and whether the controls over that system were suitably designed (and, in a type 2 report, operating effectively). The controls addressed in SSAE No. 16 are those that a service organization implements to prevent, or detect and correct, errors or omissions in the information it provides to user entities. SSAE No. 16 replaces SAS 70.


What is a SOC 1 Report?
SOC 1: Statement on Standards for Attestation Engagements (SSAE) 16, "Reporting on Controls at a Service Organization," as published by the AICPA. SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements, specifically internal control over financial reporting. There are two types of SOC 1 reports:
• Type 1 – A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

• Type 2 – A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.


What is a SOC 2 Report?
SOC 2: Attestation Standards, Section 101 of the AICPA Codification Standards (AT Section 101), "Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy," as published by the AICPA. SOC 2 reports specifically address one or more of the following key system attributes:
• Security - The system is protected against unauthorized access (both physical and logical).
• Availability - The system is available for operation and use as committed or agreed.
• Processing integrity - System processing is complete, accurate, timely and authorized.
• Confidentiality - Information designated as confidential is protected as committed or agreed.
• Privacy - Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.
In summary, the intended users of a SOC 1 report include the external auditors of the user organization's financial statements, management of the user organizations, and management of the service organization. The intended users of a SOC 2 report include relevant parties that are knowledgeable about the services provided by the service organization and that have a true and credible need for a SOC 2 report.